
Re: multiple root passwords...



Matthew Hixson writes:
>Okay, hear me out on this one.
>  What do you guys think about a pam module that would only be used for root
>authentication from su.  This module would be able to accept multiple root
>passwords and would have an identifier associated with each one.  So when root
>logs in with password '18dinqew' that would log to a file that "Stan" had
>apparently logged in as root.  The idea being that you could have multiple
>administrators for one machine with the ability to add/remove admins without
>disrupting the other admins' access rights.
>  Just a random thought spewed from a tired mind.

It's certainly possible.  The typical way of doing this is to have multiple
uid 0 accounts, each with the same uid, home dir, etc., but with a different
name (lroot,fooroot,whateverroot) and password, and if desired, different
shell and GECOS.  That way, all the info fits in the normal databases.

However, your idea doesn't sound like a bad one, either.  More ideas: you
can check (with getuid()) what user is doing the su and only allow the
correct password for that particular user.  That is, you have an
/etc/supasswd file that is mode 600, owner root, with
username:cryptedpasswd
pairs in it.  Your module looks up by getpwuid(getuid())->pw_name (of
course that's shorthand, you would need to do error checking :-) and
checks only against that particular password.

However, if you *only* want to know which user has just become root,
pam_pwdb already logs the uid and name of the user who is authenticating.

Hope that helps,

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development       http://www.redhat.com/~johnsonm/lad/


